Feature #3663

DNS: Parse and extract DNS NULL records

Added by Konstantin Klinger over 4 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Target version:
Effort:
Difficulty:
Label: Protocol

Description

At the moment the DNS parser gives you "NULL" as rrtype, but the related metadata of those NULL records/DNS packets is missing. In the attached eve.json you can find the current output.

I would expect something like this (equivalent to the content from packet 18 in Wireshark output):
Null (data): 42617365313238

This is related to Feature #2970


Files

dns-tunnel-iodine.pcap (75.7 KB), Konstantin Klinger, 04/23/2020 07:13 AM
eve.json (388 KB), Konstantin Klinger, 04/23/2020 07:13 AM
Actions #1

Updated by Victor Julien over 4 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD

@Simon Dugas are you interested in this one?

Actions #2

Updated by Simon Dugas over 4 years ago

Victor Julien wrote in #note-1:

@Simon Dugas are you interested in this one?

Yes, I can look into it. I should have something ready and dependent on https://redmine.openinfosecfoundation.org/issues/2970.

Actions #3

Updated by Sascha Steinbiss almost 4 years ago

Just FYI, I have also started working on this and have also added possibly interesting RR types such as SRV and NS.
NULL and NS are straightforward as they are simple buffers or domain names, but SRV needed another structured sub-object. Please see https://github.com/OISF/suricata/commit/e449676eee1f120f527222253e4efe939330b98e for a first shot. Happy to prepare a PR.

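As an added example (not code from this issue or from Suricata itself), the extraction described in the comment above: a std-only Rust parser that walks the answer section of a DNS message, returns NULL rdata as a hex string in the form the description asks for, and NS rdata as a domain name. The packet bytes, the name `t.example.com` and the function names are constructed for the example and are not taken from the attached capture.

```rust
// Added example, std only (not Suricata's nom-based parser): NULL rdata -> hex, NS rdata -> name.

/// Read a possibly compressed name at `pos`; returns (name, offset just after it).
fn read_name(pkt: &[u8], mut pos: usize) -> Option<(String, usize)> {
    let (mut labels, mut end, mut hops) = (Vec::new(), None, 0);
    loop {
        let len = *pkt.get(pos)? as usize;
        if len == 0 { pos += 1; break; }
        if (len & 0xC0) == 0xC0 { // compression pointer: the name ends after these 2 bytes
            let ptr = ((len & 0x3F) << 8) | *pkt.get(pos + 1)? as usize;
            if end.is_none() { end = Some(pos + 2); }
            hops += 1; if hops > 16 { return None; } // reject pointer loops
            pos = ptr; continue;
        }
        let label = pkt.get(pos + 1..pos + 1 + len)?;
        labels.push(String::from_utf8_lossy(label).into_owned());
        pos += 1 + len;
    }
    Some((labels.join("."), end.unwrap_or(pos)))
}

fn be16(pkt: &[u8], i: usize) -> Option<u16> { Some(u16::from_be_bytes([*pkt.get(i)?, *pkt.get(i + 1)?])) }

/// Answers as (rrtype, decoded rdata); None on any truncation or pointer loop.
pub fn parse_answers(pkt: &[u8]) -> Option<Vec<(u16, String)>> {
    let (qd, an, mut pos) = (be16(pkt, 4)? as usize, be16(pkt, 6)? as usize, 12);
    for _ in 0..qd { pos = read_name(pkt, pos)?.1 + 4; } // skip QTYPE, QCLASS
    let mut out: Vec<(u16, String)> = Vec::new();
    for _ in 0..an {
        let p = read_name(pkt, pos)?.1; // then TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
        let (rtype, rdlen) = (be16(pkt, p)?, be16(pkt, p + 8)? as usize);
        let rd = pkt.get(p + 10..p + 10 + rdlen)?; // bounds-checked: no over-read
        out.push((rtype, match rtype {
            10 => rd.iter().map(|b| format!("{:02x}", b)).collect(), // NULL: raw bytes as hex
            2 => read_name(pkt, p + 10)?.0,                          // NS: a domain name
            _ => String::new(),
        }));
        pos = p + 10 + rdlen;
    }
    Some(out)
}

/// Constructed sample: reply for "t.example.com" with one NULL answer carrying "Base128".
pub fn sample_packet() -> Vec<u8> {
    let mut p = vec![0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0]; // header: 1 question, 1 answer
    p.extend_from_slice(b"\x01t\x07example\x03com\x00\x00\x0a\x00\x01"); // question, type NULL
    p.extend_from_slice(&[0xC0, 0x0C, 0, 10, 0, 1, 0, 0, 0, 0, 0, 7]); // name ptr, NULL, IN, TTL, len
    p.extend_from_slice(b"Base128"); // rdata, hex 42617365313238 as in the description
    p
}
```

Truncated rdata and self-referential compression pointers make the parser return None instead of reading past the buffer, which is the property a logging parser fed with tunnel traffic needs most.
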
Actions #5

Updated by Philippe Antoine over 3 years ago

  • Status changed from New to Closed